Deception & Inspection: Gathering intelligence & increasing the red team infrastructure resiliency

Introduction This article primarily targets the red teams. It demonstrates several ways of gathering intelligence about the public security scanners & analyzers and the security platforms and tools used by the target organization. Keywords: C2 Infrastructure resiliency | Cyber Intelligence | Dynamic URL & executable Analyzers | Security Defense Tooling Behavior Benchmark Objectives Whether you’re… Continue reading →

File WatchTower: Leveling-up SOC Capabilities

These are abstract ideas. More research and tests will be needed to determine the effectiveness of this project. The problem? SOCs analysts spend time analyzing the “Unknowns.” Lack of sufficient intelligence about new files causes slow response and can lead to other higher risks; compromise, post-exploitation, and other malicious activities. File WatchTower — The Early… Continue reading →

Ransomware: Detect & Respond

Hunting for Suspicious DNS Communications

Introduction Adversaries are continuously developing techniques to reduce the detection rate of their malicious activities on an enterprise network; for example, they utilize stenography for data exfiltration, malicious software delivery, and covert C2 communications. This article provides an overview on detecting and hunting suspicious DNS connections in an enterprise network. Requirements In order to be… Continue reading →

Establishing an encrypted communication channel over HTTP

In my previous article “Establishing a secure communication channel over HTTP” , I introduced a demo on how to exchange encrypted information over the HTTP protocol using RSA & AES algorithms. This article provides an introduction to how to make encrypted communications between two endpoints over HTTP. The goal is to transmit data securely from… Continue reading →

Establishing a secure communication channel over HTTP

This article provides an introduction to how to make encrypted communications between two endpoints over HTTP. The goal is to transmit data securely from one endpoint to another without the need for SSL/HTTPS . To establish an encrypted communication channel, we will take advantage of the RSA and AES algorithms. RSA & AES are the… Continue reading →

Hunting ngrok Activity

Ngrok is a genuine software and mainly used by developers to expose local web servers or any other TCP service to the internet. However, ngrok is now widely abused by threat actors and abused in multiple ways including persistence & data exfiltration purposes. ngrok exposes local services to the internet by wrapping TCP connections under… Continue reading →

SharpSpray | Active Directory Password Spraying Tool

SharpSpray is a Windows domain password spraying tool written in .NET C#. SharpSpray is a C# port of DomainPasswordSpray with enhanced and extra capabilities. This tool uses LDAP Protocol to communicate with the Domain active directory services. Features Can operate from inside and outside a domain context. Exclude domain disabled accounts from the spraying. Auto… Continue reading →

SharpStrike | Post-exploitation tool | CIM & WMI Inside

Introduction SharpStrike is a post-exploitation tool written in C# that uses either CIM or WMI to query remote systems. It can use provided credentials or the current user’s session. This project is a rewrite and expansion on @Matt_Grandy_ CIMplant & @christruncer WMImplant SharpStrike allows you to gather data about a remote system, execute commands, exfiltrate… Continue reading →

ESS Notifier – Improving SOC Capabilities and Response

Introduction ESS Notifier is a notable security event scanner & notifier for Splunk Enterprise Security. The purpose of this tool is to send/push notifications via Email/Slack/REST API whenever a new security notable event is triggered on Splunk ESS. This tool is ideally best used by Managed Security Service Providers (MSSP) who provide SOC as a… Continue reading →

C99.sh

. . . Security Focus . . .